• Installation and dependencies
• Questions



What is it? 




• Open Source Network Protocol Analyzer 

• Released under GNU Public License (it’s free) 

• Runs on all flavors of Unix, Linux, Windows 

• Prebuilt binaries and source code are available 

• Original author: Gerald Combs 

• Over 200 contributors, including members of the Samba Team

• De facto standard among the open source community

• Website: www.ethereal.com 





For the impatient... (What is it, part 2) 


[Screenshot: cifsclient-krb5-auth-ok-0.trace open in Ethereal, display filter "nbss || smb || kerberos". Packet list (No., Time, Source, Destination, Protocol, Info):]

 1  0.000000  hpntc263.cup.hp.com  hpntc825.cup.hp.com  KRB5  AS-REQ
 2  0.003225  hpntc825.cup.hp.com  hpntc263.cup.hp.com  KRB5  KRB-ERROR
 3  1.725024  hpntc263.cup.hp.com  hpntc825.cup.hp.com  KRB5  AS-REQ
 4  1.732516  hpntc825.cup.hp.com  hpntc263.cup.hp.com  KRB5  AS-REP
11  9.600269  hpntc263.cup.hp.com  hpntc723.cup.hp.com  NBSS  Session request, to HPNTC723<20> from HPNTC263<20>
12  9.600621  hpntc723.cup.hp.com  hpntc263.cup.hp.com  NBSS  Positive session response
13  9.604385  hpntc263.cup.hp.com  hpntc723.cup.hp.com  SMB   Negotiate Protocol Request
14  9.605424  hpntc723.cup.hp.com  hpntc263.cup.hp.com  SMB   Negotiate Protocol Response
15  9.644947  hpntc263.cup.hp.com  hpntc825.cup.hp.com  KRB5  TGS-REQ
16  9.652970  hpntc825.cup.hp.com  hpntc263.cup.hp.com  KRB5  TGS-REP
18  9.734999  hpntc263.cup.hp.com  hpntc723.cup.hp.com  SMB   Session Setup AndX Request
19  9.740916  hpntc723.cup.hp.com  hpntc263.cup.hp.com  SMB   Session Setup AndX Response [Unreassembled Packet]

[Detail pane for frame 4:]

Frame 4 (1421 bytes on wire, 1421 bytes captured)
Ethernet II, Src: 08:00:09:cb:99:8a, Dst: 00:10:83:03:9f:26
Internet Protocol, Src Addr: hpntc825.cup.hp.com (15.13.115.184), Dst Addr: hpntc263.cup.hp.com (15.13.114.212)
User Datagram Protocol, Src Port: kerberos5 (88), Dst Port: 53016 (53016)
Kerberos
    Version: 5
    MSG Type: AS-REP
    Pre-Authentication
        Type: PA-PW-SALT
        Value: 524B57494E324B2D4E41544956452E43...

File: cifsclient-krb5-auth-ok-0.trace
Features... 




• Graphical user interface 

• Rich syntax for capture and display filters 

• Over 370 network protocols decoded, as of latest version; Ver. 0.9.9, released Jan. 23, 2002, includes GSS-API, NTLM, SPNEGO, Win2k security blobs

• Reads and writes capture files in many formats:

■ libpcap (tcpdump)

■ Network Monitor (Microsoft)

■ LanAnalyzer (Novell)

■ Sniffer and NetXray (Network Associates)

■ nettl (HP-UX)

■ iptrace (AIX)

■ snoop (Sun)

■ ...and several others


...Features 




• Interactive GUI facility for building display filters 

• Distributions include a text-based interface (tethereal) similar to tcpdump, a programmatic capture editor and converter (editcap), and manpages for Unix and Linux (or via web for Windows)

• Analysis of live or saved network traces (packets can 
be examined while capture is active) 

• Prints captures as plain text or postscript to file or 
printer 

• Updated often (1-3 month intervals) with new 
protocol decodings or enhancements to existing 
decoders 




Comparison to Network Monitor... 



                                   Ethereal                   Network Monitor
Free                               yes                        no
Updated often                      yes                        no
Windows installation               easy                       easy
Linux installation                 easy                       not available
Initial HP-UX installation         swinstall (1)              not available
Unix updates                       easy                       not available
New decoder availability for       under continuous           difficult-to-impossible
various protocols                  development                to obtain

(1) see Installation and Dependencies







...Comparison to Network Monitor... 



                                   Ethereal                   Network Monitor
Supports complex display filters   yes                        no
Can run multiple instances         yes                        yes
Reads and writes formats of most   yes                        no
other vendors' sniffers
Number of protocols decoded        ~370 and counting          78
To capture traffic between         specify hostnames          manually add hostnames to
host_A and host_B                                             database by IP or hardware
                                                              address, then select


...Comparison to Network Monitor... 



                                   Ethereal                   Network Monitor
Decodes CAP_UNIX bit               yes                        no
Decodes CIFS Unix Extensions       yes                        no
Opens any number of packets,       yes                        no
each in its own window
Allows filters to be saved         yes                        yes
Supports fancy color               yes                        yes
configuration, by protocol
Features powerful GUI filter-      yes                        no
expression builder


...Comparison to Network Monitor... 


Screenshot 1a: kinit(1) captured with Network Monitor 5.0 on Win2k, filter definition:

■ host_A host_B

■ broadcast host_A

■ broadcast host_B

KRB5_AS_REQ/REP packets not recognized; displayed only as encapsulated UDP data







































...Comparison to Network Monitor... 

Screenshot 1b: hex dump of KRB5_AS_REQ with Network Monitor

• non-printing characters represented by “smileys”

• 16-byte continuous rows

• lines spaced at 1.5
...Comparison to Network Monitor...

Screenshot 2a: kinit(1) captured with Ethereal 0.9.4 on HP-UX 11.0, filter definition:

■ host_A host_B

• KRB5_AS_REQ/REP packets recognized, and...

[Screenshot: Ethereal packet list]

2  0.003210  HP_cb:99:8a        Broadcast      ARP   Who has 15.13.114.212? Tell 15.13.115.184
3  0.003288  Hewlett-_03:9f:26  HP_cb:99:8a    ARP   15.13.114.212 is at 00:10:83:03:9f:26
4  0.003636  15.13.115.184      15.13.114.212  KRB5  KRB-ERROR
5  1.801654  15.13.114.212      15.13.115.184  KRB5  AS-REQ
6  1.807832  15.13.115.184      15.13.114.212  KRB5  AS-REP
...Comparison to Network Monitor...

Screenshot 2b: KRB5_AS_REQ with Ethereal

• ...Kerberos packets are decoded in detail

[Screenshot: Ethereal detail pane]

Frame 1 (241 bytes on wire, 241 bytes captured)
Ethernet II, Src: 00:10:83:03:9f:26, Dst: 08:00:09:cb:99:8a
Internet Protocol, Src Addr: 15.13.114.212 (15.13.114.212), Dst Addr: 15.13.115.184 (15.13.115.184)
User Datagram Protocol, Src Port: 61469 (61469), Dst Port: kerberos5 (88)
Kerberos
    Version: 5
    MSG Type: AS-REQ
    Request
        Options: 0000000000
        Client Name: eric
            Type: Principal
            Name: eric
        Realm: RKWIN2K-NATIVE.CUP.HP.COM
        Server Name: krbtgt
            Type: Unknown
            Name: krbtgt
            Name: RKWIN2K-NATIVE.CUP.HP.COM
        Start Time: 2003-01-27 07:38:38 (Z)
        End Time: 2003-01-27 17:38:38 (Z)
        Random Number: 1043653118
        Encryption Types
            Type: des-cbc-md5
        Addresses
            Type: IPv4
            Value: 15.13.114.212
...Comparison to Network Monitor...

Screenshot 2c: KRB5_AS_REQ with Ethereal

• non-printing characters represented by dots

• 16-byte rows divided down the middle

• lines spaced at 1.0
...Comparison to Network Monitor...

Note Ethereal’s superior clock resolution (time column) in the summary panes to that of Network Monitor. Ethereal on Windows 2000 yields similarly impressive results.

[Screenshot: Ethereal summary pane (No., Time, Source, Destination, Protocol, Info)]

1  0.000000  15.13.114.212      15.13.115.184  KRB5  AS-REQ
2  0.003210  HP_cb:99:8a        Broadcast      ARP   Who has 15.13.114.212? Tell 15.13.115.184
3  0.003288  Hewlett-_03:9f:26  HP_cb:99:8a    ARP   15.13.114.212 is at 00:10:83:03:9f:26
4  0.003636  15.13.115.184      15.13.114.212  KRB5  KRB-ERROR
5  1.801654  15.13.114.212      15.13.115.184  KRB5  AS-REQ
6  1.807832  15.13.115.184      15.13.114.212  KRB5  AS-REP
Getting started: tcpdump capture filters... 


What is tcpdump?

• Open-source text-based network trace facility 

• Well-known, standard utility, in use for over ten years 

• Originally developed at Lawrence Berkeley National Lab 

• Uses the libpcap library to capture network traffic 

• tcpdump and libpcap are actively maintained by The 
tcpdump Group (www.tcpdump.com) 

• Advantages of tcpdump:

■ consumes minimal system resources (no X processing)

■ easy to use, yet supports complex filtering syntax (libpcap)

■ detail of output can be controlled, header to full dump

■ does a respectable job decoding and formatting SMBs


...Getting started: tcpdump capture filters... 


• Ethereal uses the libpcap packet-capture library of 
tcpdump (www.tcpdump.org), so libpcap filter syntax is 
used in Ethereal. 

• The libpcap filter language allows for complex constructs. 
“This is explained in the tcpdump man page. If you can 
understand it, you are a better man than I...” 

-Ethereal User’s Manual 

• Basic syntax structure: 

[not] primitive [and|or [not] primitive ...] 
...Getting started: tcpdump capture filters...

tcpdump examples: 

• Capture packets from host A to host B ( A and B can be 
specified as hostnames or IP addresses): 

$ tcpdump src A and dst B 

• Capture all traffic between host A and host B : 

$ tcpdump host A and host B 

or between three hosts: 

$ tcpdump \( host A and host B \) \ 
or \( host B and host C \) \ 
or \( host C and host A \) 
...Getting started: tcpdump capture filters...

More tcpdump examples: 

• Capture all telnet traffic not from IP address 10.0.0.5:

$ tcpdump tcp port 23 and \ 
not host 10.0.0.5 

• Capture only SMBs: 

$ tcpdump tcp[24:4] = 0xff534d42 

• From the tcpdump manpage: 

To print the start and end packets (the SYN and FIN 
packets) of each TCP conversation that involves a non¬ 
local host: 

$ tcpdump 'tcp[13] & 3 != 0 and \ 
not src and dst net localnet' 
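As an added example (not tcpdump's or Ethereal's own code), the following Python script evaluates the two byte-offset predicates used above, tcp[13] & 3 != 0 and tcp[24:4] = 0xff534d42, on constructed IPv4/TCP segments. It also shows the caveat a practitioner should know about the SMB filter: tcp[24:4] assumes a 20-byte TCP header, so a segment carrying TCP options is missed unless the TCP data offset is honoured; build_ipv4_tcp, the packet constants and the sample packets are assumptions made for the demonstration.

```python
"""Evaluate the byte-offset tcpdump predicates from the slides,
    tcp[13] & 3 != 0        (SYN or FIN flag set)
    tcp[24:4] = 0xff534d42  (SMB signature behind the NBSS header)
on constructed IPv4/TCP segments.  Example code added for this page, not
tcpdump or libpcap code; every packet here is constructed, not captured."""
import struct

SMB_MAGIC = 0xFF534D42                       # the bytes b"\xffSMB"
TH_FIN, TH_SYN, TH_PSH, TH_ACK = 0x01, 0x02, 0x08, 0x10


def build_ipv4_tcp(payload, flags, options=b""):
    """Constructed frame: 20-byte IPv4 header + TCP header (+options) + payload."""
    assert len(options) % 4 == 0, "TCP options are padded to 32-bit words"
    data_offset = (20 + len(options)) // 4       # TCP header length in words
    tcp = struct.pack("!HHIIBBHHH", 63412, 139, 1, 0, data_offset << 4,
                      flags, 32768, 0, 0) + options + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes([15, 13, 114, 212]), bytes([15, 13, 115, 184]))
    return ip + tcp


def tcp_field(packet, offset, width=1):
    """libpcap's tcp[offset:width]: bytes counted from the start of the TCP
    header, i.e. past the IPv4 header of IHL*4 bytes; None when out of range."""
    ihl = (packet[0] & 0x0F) * 4
    chunk = packet[ihl + offset:ihl + offset + width]
    return int.from_bytes(chunk, "big") if len(chunk) == width else None


def is_syn_or_fin(packet):
    """tcp[13] & 3 != 0 -- byte 13 of the TCP header is the flags byte."""
    flags = tcp_field(packet, 13)
    return flags is not None and flags & (TH_SYN | TH_FIN) != 0


def is_smb_fixed_offset(packet):
    """tcp[24:4] = 0xff534d42: assumes a 20-byte TCP header followed by the
    4-byte NBSS session header, so the SMB signature sits at offset 24."""
    return tcp_field(packet, 24, 4) == SMB_MAGIC


def is_smb_by_data_offset(packet):
    """Header-length-aware variant: honour the TCP data offset instead of
    assuming 20 bytes, so segments that carry TCP options are not missed."""
    doff = tcp_field(packet, 12)
    if doff is None:
        return False
    ihl = (packet[0] & 0x0F) * 4
    payload = packet[ihl + (doff >> 4) * 4:]
    return len(payload) >= 8 and int.from_bytes(payload[4:8], "big") == SMB_MAGIC


# Constructed NBSS session message (type 0x00 + 3-byte length) wrapping an
# SMB header whose command byte 0x72 is Negotiate Protocol.
SMB_NEGOTIATE = b"\xffSMB\x72" + bytes(27)
NBSS_SMB = b"\x00" + len(SMB_NEGOTIATE).to_bytes(3, "big") + SMB_NEGOTIATE
MSS_OPTION = b"\x02\x04\x05\xb4"                 # MSS 1460, exactly 4 bytes

SMB_PLAIN = build_ipv4_tcp(NBSS_SMB, TH_PSH | TH_ACK)
SMB_WITH_OPTIONS = build_ipv4_tcp(NBSS_SMB, TH_PSH | TH_ACK, MSS_OPTION)
SYN_ONLY = build_ipv4_tcp(b"", TH_SYN, MSS_OPTION)

if __name__ == "__main__":
    for name, pkt in (("plain SMB", SMB_PLAIN), ("SMB + options", SMB_WITH_OPTIONS),
                      ("bare SYN", SYN_ONLY)):
        print(f"{name:14} syn/fin={is_syn_or_fin(pkt)!s:5} "
              f"tcp[24:4]={is_smb_fixed_offset(pkt)!s:5} "
              f"data-offset-aware={is_smb_by_data_offset(pkt)}")
```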




...Getting started: tcpdump capture filters...

• For most purposes, host a [and host b [...]] is sufficient:

# tcpdump -q host hpntc825 and host hpntc263
tcpdump: listening on lan1
16:09:09.496741 hpntc263.cup.hp.com.63412 > hpntc825.cup.hp.com.netbios_ssn: tcp 88
16:09:09.518131 hpntc825.cup.hp.com.netbios_ssn > hpntc263.cup.hp.com.63412: tcp 488 (DF)
16:09:09.537570 hpntc263.cup.hp.com.63412 > hpntc825.cup.hp.com.netbios_ssn: tcp 108
16:09:09.538296 hpntc825.cup.hp.com.netbios_ssn > hpntc263.cup.hp.com.63412: tcp 105 (DF)
16:09:09.547261 hpntc263.cup.hp.com.63412 > hpntc825.cup.hp.com.netbios_ssn: tcp 112
16:09:09.547927 hpntc825.cup.hp.com.netbios_ssn > hpntc263.cup.hp.com.63412: tcp [unreadable] (DF)
16:09:09.558142 hpntc263.cup.hp.com.63412 > hpntc825.cup.hp.com.netbios_ssn: tcp 116
16:09:09.558815 hpntc825.cup.hp.com.netbios_ssn > hpntc263.cup.hp.com.63412: tcp 114 (DF)
16:09:09.567772 hpntc263.cup.hp.com.63412 > hpntc825.cup.hp.com.netbios_ssn: tcp 108
16:09:09.568483 hpntc825.cup.hp.com.netbios_ssn > hpntc263.cup.hp.com.63412: tcp 107 (DF)
16:09:09.601944 hpntc263.cup.hp.com.63412 > hpntc825.cup.hp.com.netbios_ssn: tcp 104
16:09:09.602796 hpntc825.cup.hp.com.netbios_ssn > hpntc263.cup.hp.com.63412: tcp 104 (DF)
16:09:09.612554 hpntc263.cup.hp.com.63412 > hpntc825.cup.hp.com.netbios_ssn: tcp 104
16:09:09.613349 hpntc825.cup.hp.com.netbios_ssn > hpntc263.cup.hp.com.63412: tcp 105 (DF)
16:09:09.622078 hpntc263.cup.hp.com.63412 > hpntc825.cup.hp.com.netbios_ssn: tcp 104
16:09:09.622812 hpntc825.cup.hp.com.netbios_ssn > hpntc263.cup.hp.com.63412: tcp 105 (DF)
16:09:09.632253 hpntc263.cup.hp.com.63412 > hpntc825.cup.hp.com.netbios_ssn: tcp 104
16:09:09.632998 hpntc825.cup.hp.com.netbios_ssn > hpntc263.cup.hp.com.63412: tcp 104 (DF)
16:09:09.642961 hpntc263.cup.hp.com.63412 > hpntc825.cup.hp.com.netbios_ssn: tcp 108
16:09:09.643692 hpntc825.cup.hp.com.netbios_ssn > hpntc263.cup.hp.com.63412: tcp 106 (DF)
16:09:09.652259 hpntc263.cup.hp.com.63412 > hpntc825.cup.hp.com.netbios_ssn: tcp 104
16:09:09.653015 hpntc825.cup.hp.com.netbios_ssn > hpntc263.cup.hp.com.63412: tcp 102 (DF)

Notes: host representation = host.domain.port
       tcp x = length of tcp segment
       DF = do-not-fragment flag
...Getting started: tcpdump capture filters...

• tcpdump also does a respectable job decoding SMBs (decoder written by Andrew Tridgell of Samba Team)

$ tcpdump -vv host hpntc825 and host hpntc263
listening on lan0...
16:37:22.339266 hpntc263.cup.hp.com.64652 > hpntc825.cup.hp.com.netbios_ssn: P 3613323236:3613323324(88) ack 4249154160 win 32768
>>> NBT Packet
NBT Session Packet
Flags=0x0
Length=84 (0x54)
SMB PACKET: SMBtrans2 (REQUEST)
SMB Command   =  0x32
Error class   =  0x0
Error code    =  0 (0x0)
Flags1        =  0x62
Flags2        =  0x3
Tree ID       =  2055 (0x807)
Proc ID       =  0 (0x0)
UID           =  2050 (0x802)
MID           =  104 (0x68)
Word Count    =  15 (0xf)
TRANSACT2_FINDFIRST param_length=15 data_length=0
TotParam=15 (0xf)
TotData=0 (0x0)
MaxParam=64 (0x40)
MaxData=32768 (0x8000)
MaxSetup=0 (0x0)
Flags=0x0
TimeOut=0 (0x0)
Res1=0x0
ParamCnt=15 (0xf)
ParamOff=68 (0x44)
DataCnt=0 (0x0)
DataOff=0 (0x0)
SetupCnt=1 (0x1)
TransactionName=SMB2
Attribute=HIDDEN SYSTEM DIR
SearchCount=63 (0x3f)
Flags=0x2
Level=260 (0x104)
File=*
Getting started: active trace 


A trace in progress:

[Screenshot: The Ethereal Network Analyzer during a live capture. The Capture menu is open (Start Ctrl+K, Stop). The packet list shows SMB traffic between hpntc723/hpntc263 and hpntc825: Tree Connect AndX Request (Path: \\HPNTC825...) and Response, Transaction2 Request/Response FIND_FIRST2, Transaction2 Request/Response GET_DFS_REFERRAL, Tree Disconnect, and TCP ACKs (65285 > netbios_ssn, 1255 > 445). The detail pane shows Frame 1 (82 bytes on wire, 82 bytes captured): Ethernet II, Src: 00:10:83:03:9f:26, Dst: 08:00:09:cb:99:8a; Internet Protocol, Src Addr: hpntc263.cup.hp.com, Dst Addr: hpntc825.cup.hp.com; Transmission Control Protocol, Src Port: 65285, Dst Port: netbios_ssn (139); followed by the frame's hex dump. The "Ethereal: Capture" dialog reports Captured Frames: Total 28 (100.0%), TCP 26 (92.9%), UDP 2 (7.1%), SCTP/ICMP/ARP/OSPF/GRE/NetBIOS/IPX/VINES/Other 0 (0.0%); Running 00:00:47; a Stop button. The status bar reads <live capture in progress>.]
Extracting data...


Once network traffic is captured, how does one isolate the 
data of interest? 

Ethereal provides multiple methods: 

• Flexible C-style display filter syntax 

• Colorizing display 

• Edit -> Find Frame 
...Extracting data: display filters...

Ethereal display filter syntax, basic expression structure:

[!] E [rel-op val] [log-op E [rel-op val]]...

where an element E is:

protocol[.field1[.field2]][substr]

the relational operators rel-op are:

==  !=  >  <  >=  <=   (also written eq ne gt lt ge le)

and the logical operators log-op are:

and  or  not  xor   (and, or and not are also written &&, || and !)
...Extracting data: display filters...


Ethereal display-filter examples: 

• Display only the SMBs in a trace: 

smb 

• Display only SMB and Kerberos packets: 

smb || kerberos 

• Display only NetBIOS Session Service packets not 
containing SMBs: 

nbss && !smb 
...Extracting data: display filters...


More Ethereal display-filter examples: 

• Display only packets from host A (IP address 1.2.3.4) to host B (IP address 5.6.7.8):

ip.src == A && ip.dst == B

or

ip.src eq 1.2.3.4 && ip.dst eq 5.6.7.8

• Display only CIFS Negotiate Protocol replies with the CAP_UNIX bit set:

smb.server_cap.unix == 1
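As an added example (not Ethereal's own filter engine), here is a small Python evaluator for the display-filter structure given above, [!] E [rel-op val] [log-op E [rel-op val]]..., applied to the example filters on this and the previous slide; Filter, select and the PACKETS records are assumptions made for the demonstration, with the records constructed rather than captured, and the evaluator accepts both the symbolic and the word forms of the operators.

```python
"""Tiny evaluator for Ethereal-style display filters, [!] E [rel-op val] [log-op E ...],
over packets given as dicts of decoded fields.  Example code added for this page,
not Ethereal's filter engine; the packet records below are constructed."""
import re

TOKEN = re.compile(r"\s*(\(|\)|\|\||&&|==|!=|>=|<=|>|<|!|"
                   r"0x[0-9A-Fa-f]+|\d+(?:\.\d+)*|[A-Za-z_][\w.]*)")
LOGIC = {"||": "or", "or": "or", "xor": "xor", "&&": "and", "and": "and",
         "!": "not", "not": "not"}
RELOP = {"==": "eq", "eq": "eq", "!=": "ne", "ne": "ne", ">": "gt", "gt": "gt",
         "<": "lt", "lt": "lt", ">=": "ge", "ge": "ge", "<=": "le", "le": "le"}

def tokenize(text):
    tokens, pos, text = [], 0, text.strip()
    while pos < len(text):
        m = TOKEN.match(text, pos)
        if not m:
            raise ValueError(f"bad filter near {text[pos:]!r}")
        tokens.append(m.group(1))
        pos = m.end()
    return tokens

class Filter:
    """Recursive-descent parser; precedence: not binds tightest, then and, then or/xor."""
    def __init__(self, text):
        self.toks, self.i = tokenize(text), 0
        self.tree = self._or()
        if self.i != len(self.toks):
            raise ValueError("trailing tokens in filter")
    def _peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None
    def _next(self):
        self.i += 1
        return self.toks[self.i - 1]
    def _or(self):
        node = self._and()
        while LOGIC.get(self._peek()) in ("or", "xor"):
            node = (LOGIC[self._next()], node, self._and())
        return node
    def _and(self):
        node = self._not()
        while LOGIC.get(self._peek()) == "and":
            self._next()
            node = ("and", node, self._not())
        return node
    def _not(self):
        if LOGIC.get(self._peek()) == "not":
            self._next()
            return ("not", self._not())
        return self._primary()
    def _primary(self):
        tok = self._next()
        if tok == "(":
            node = self._or()
            if self._next() != ")":
                raise ValueError("expected )")
            return node
        if self._peek() in RELOP:                  # E rel-op val
            return ("cmp", tok, RELOP[self._next()], self._next())
        return ("present", tok)                    # bare protocol or field name
    def matches(self, pkt, node=None):
        node = self.tree if node is None else node
        kind = node[0]
        if kind == "present":  # a protocol is present if it or any sub-field decoded
            return any(k == node[1] or k.startswith(node[1] + ".") for k in pkt)
        if kind == "cmp":
            _, field, op, raw = node
            if field not in pkt:
                return False
            have = pkt[field]
            want = int(raw, 0) if isinstance(have, int) else raw
            return {"eq": have == want, "ne": have != want, "gt": have > want,
                    "lt": have < want, "ge": have >= want, "le": have <= want}[op]
        if kind == "not":
            return not self.matches(pkt, node[1])
        a, b = self.matches(pkt, node[1]), self.matches(pkt, node[2])
        return {"and": a and b, "or": a or b, "xor": a != b}[kind]

PACKETS = [  # constructed packet summaries standing in for decoded frames
    {"ip.src": "1.2.3.4", "ip.dst": "5.6.7.8", "nbss": True, "smb": True,
     "smb.cmd": 0x72, "smb.server_cap.unix": 1},   # Negotiate reply, CAP_UNIX set
    {"ip.src": "5.6.7.8", "ip.dst": "1.2.3.4", "nbss": True},  # NBSS, no SMB inside
    {"ip.src": "1.2.3.4", "ip.dst": "9.9.9.9", "kerberos": True},  # Kerberos AS-REQ
]

def select(filter_text, packets=PACKETS):
    """Return the indexes of the packets the display filter keeps."""
    flt = Filter(filter_text)
    return [i for i, p in enumerate(packets) if flt.matches(p)]
```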
...Extracting data: display filters...

Ethereal interactive display-filter builder:

[Screenshot: smbclient-L-TGS-exchange.trace open in Ethereal. The packet list shows NETLOGON "SAM LOGON request from client" packets from hpntc723 to hpntc825 and the "Unknown Command:17" replies, a KRB5 TGS-REQ from hpntc263 to hpntc825, and an ARP broadcast (Who has 15.13.114.212? Tell 15.13.115.184). Frame 14 (297 bytes) is decoded as Ethernet II / Internet Protocol / User Datagram Protocol (Src Port: netbios_dgm (138)) / NetBIOS Datagram Service / SMB (Server Message Block Protocol) / SMB MailSlot Protocol / Microsoft Windows Logon Protocol. The "Ethereal: Display Filter" dialog lists saved filters (aztec-puffin, hpntc236-puffin, puffin-hpntc43-aztec, hpntc263-hpntc236, hpntc263-hpntc236-aztec, hpntc263-aztec, hpntc263-hpntc43, hpntc263-hpntc43-aztec, hpntc43-aztec, hpntc236-aztec, ...) with New, Change, Copy and Delete buttons, Filter name and Filter string entries, and OK, Apply and Save buttons. Its "Add Expression..." button opens the builder: a Field name tree (SADMIND, SAMR, SAP, SCCP, SCCPMG, SCSI, SCTP, SDP, SECIDMAP, Serialization, SGI MOUNT, Short frame, SIP, SKINNY, SLARP, SLL, SMB with fields SMB Command, Word Count (WCT), Byte Count (BCC), Response to, Time from request), a Relation column (is present, ==, !=, >, <, >=, <=) and a Value column (unsigned, 1 byte) listing SMB command names such as Tree Connect, Tree Disconnect, Negotiate Protocol, Session Setup AndX, Logoff AndX, Tree Connect AndX, Query Information Disk, Search, alongside unknown-0x6C ... unknown-0x7F.]
...Extracting data: colorizing the display...

Colorizing display:

[Screenshot: cifsclient-krb5-auth-ok-0.trace open in Ethereal with the packet list colored by protocol (ARP, TCP, NBSS, SMB and KRB5 rows between hpntc263, hpntc723 and hpntc825 in distinct colors, e.g. 13 9.604385 hpntc263.cup.hp.com hpntc723.cup.hp.com SMB, 15 9.644947 KRB5, 16 9.652970 KRB5). Frame 13 (140 bytes) is shown in the detail and hex panes. The "Ethereal: Apply Color Filters" dialog lists filters by Name and String, here "smb" with string "smb.cmd" and "krb5" with string "kerberos", with Up/Down ordering, New..., Edit..., Delete, OK, Apply, Save, Cancel and Help buttons. The "Ethereal: Edit Color Filter" dialog for krb5 shows Name: krb5, String: kerberos, an "Add Expression..." button and Display Colors; the "Choose background color for "krb5"" chooser exposes Hue, Saturation, Value and Red, Green, Blue sliders.]
...Extracting data: Find Frame

Edit -> Find Frame

[Screenshot: cifsclient-krb5-auth-ok-0.trace open in Ethereal with the "Ethereal: Find Frame" dialog (filter entry, OK, Cancel) over the packet list: 12 9.600621 hpntc723 -> hpntc263 NBSS Positive session response; 13 9.604385 hpntc263 -> hpntc723 SMB Negotiate Protocol Request; 14 9.605424 hpntc723 -> hpntc263 SMB Negotiate Protocol Response; 15 9.644947 hpntc263 -> hpntc825 KRB5. The detail pane for frame 13 expands the SMB header flags:]

Flags: 0x62
Flags2: 0xc803
    1... .... .... .... = Unicode Strings: Strings are Uni...
    .1.. .... .... .... = Error Code Type: Error codes are ...
    ..0. .... .... .... = Execute-only Reads: Don't permit ...
    ...0 .... .... .... = Dfs: Don't resolve pathnames wit...
    .... 1... .... .... = Extended Security Negotiation: Extended security negotiation is supported
    .... .0.. .... .... = Long Names Used: Path names in request are not long file names
    .... .... .0.. .... = Security Signatures: Security signatures are not supported
    .... .... .... ..1. = Extended Attributes: Extended attributes are supported
    .... .... .... ...1 = Long Names Allowed: Long file names are allowed in the response
Reserved: 000000000000000000000000

[followed by the hex dump of frame 13, whose payload starts with ff 53 4d 42 72 00 ..., the "\xffSMBr" Negotiate Protocol request.]

File: cifsclient-krb5-auth-ok-0.trace
Tracing for indefinite periods...


Problem: How to capture traffic for an indefinite period while controlling disk consumption and the size of trace files.

Solution: tethereal “ring buffers”

• tethereal is the terminal (non-GUI) version of Ethereal

• ring buffers are capture files: when the last is full, the first is reused

• user specifies the number of buffers (-b option), the size in KB or number of packets (-a option), and the basename for output files (-w option)

• capture files are binary; they can be opened in Ethereal or displayed as text by tethereal
...Tracing for indefinite periods

Ring buffer example:

Run tethereal for an indefinite period, using four 1-MB ring buffers:

$ tethereal -a filesize:1024 -b 4 -w eth.out

• terminate with [Ctrl][C], or from a shell script with

kill -s int tethereal_process_id

• do not terminate with kill -s KILL (signal 9)

• output (note: file 1 reused—has most recent mtime):

$ ll -rt eth*

-rw-   1 root  sys  1024897 Mar 22 16:53 eth_00002_20050322165358.out
-rw-   1 root  sys  1025096 Mar 22 16:53 eth_00003_20050322165359.out
-rw-   1 root  sys  1025100 Mar 22 16:54 eth_00004_20050322165359.out
-rw-   1 root  sys   485822 Mar 22 16:54 eth_00001_20050322165400.out
Conversion to and from other formats

• Ethereal easily reads and writes tcpdump (libpcap), nettl and Network Monitor traces with no special action required of the user. It even unpacks gzipped files on the fly, via libz. Simply do File -> Open to read other formats directly.

• editcap can also perform conversions:

editcap [options] -F format infile outfile

For example, to convert a nettl trace to Network Monitor v1 format:

$ editcap -v -F netmon1 nettl.out.TRC0 \
    nettl-to-netmon.cap
Installation, dependencies...

Where to get Ethereal bundles:

• Source code, documentation, etc.:

http://www.ethereal.com

• SD depots for HP-UX:

http://software.hp.com

(from the “Internet Express” bundle—search for “ethereal”)


...Installation, dependencies...

On Unix and Linux, Ethereal depends on the following open-source software:

• gettext

• glib

• gtk+

• libiconv

• libpcap

• snmp

• zlib

These are available on most Linux distributions, but on HP-UX they may have to be installed in order to compile or run Ethereal...


...Installation, dependencies...

SD depots for Ethereal’s dependencies are available at the HP-UX Porting and Archive Centre:

http://hpux.cs.utah.edu/

NOTE: Ethereal’s dependencies sometimes change with new versions.
...Installation, dependencies

On Windows, Ethereal depends only on the Win32 port of libpcap, known as WinPcap. This consists of two dynamic link libraries, packet.dll and wpcap.dll, both released under a “BSD-style” license and available at:

http://winpcap.polito.it/
Resources, Mailing Lists


The Ethereal website, www.ethereal.com, contains a 
wealth of information, including man pages and a 454- 
page user manual. 

Under the “Resources” section are links to: 

• various mailing lists: announce, users, dev, doc, cvs 

• sample captures 

• useful links: lots of information on protocols 

• etc. 

There is a wish list; you can add your request! 
Questions

Questions?

Thank you

Thank you, and happy